slowness comes from that for every changed rule, we will have a round-trip cost of sending/executing a command from the management server to the resource.

+1 to write the ruleset to a file, and if we do a complete ruleset rewrite, restarting the VR could also be improved (we don't need to refresh rules one by one, we may also be able to do a version check)

Kelven

On 7/23/13 5:08 AM, "Chiradeep Vittal" <chiradeep.vit...@citrix.com> wrote:

>It is quite hard to do a delta update correctly, so a complete rewrite of
>the ruleset is the safest way to do it. Not sure why it is "slow", but I'd
>compare it to the time taken to start a VM.
>One way to make it slightly faster is to write the ruleset to a file and
>use iptables-restore from the file.
>
>On 7/23/13 5:22 PM, "Nguyen Anh Tu" <ng.t...@gmail.com> wrote:
>
>>Anyone?
>>
>>
>>2013/7/22 Nguyen Anh Tu <ng.t...@gmail.com>
>>
>>> Hi guys,
>>>
>>> While working with L3 network services, I found a problem in the process
>>> of applying iptables rules. It currently does not work well, in my opinion.
>>> When you apply a new rule (e.g. StaticNat or Egress rule), the Virtual Router
>>> backs up the old rules and re-applies all of the non-revoked rules related to
>>> the source IP on the new rule, including this one. It causes slowness,
>>> especially when you have a lot of running rules. When you delete a rule, the
>>> process happens in the same way. The rule being deleted is marked as
>>> "revoked", so it doesn't appear in the list. I think we should have a better
>>> approach.
>>>
>>> Any idea?
>>>
>>> --
>>>
>>> N.g.U.y.e.N.A.n.H.t.U
>>>
>>
>>
>>
>>--
>>
>>N.g.U.y.e.N.A.n.H.t.U
>
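The approach discussed in this thread (render the complete ruleset to a file, load it with iptables-restore, and skip the reload when a version check shows nothing changed), sketched as an added example that is not code from the thread or from CloudStack. The function names, the state directory layout, the sample rules and the default ACCEPT policies are assumptions; `iptables-restore --test` parses the file without committing it.

```python
import hashlib, os, subprocess, tempfile

# Constructed sample: the non-revoked rules for one VR (documentation addresses).
SAMPLE_RULES = [
    {"table": "nat", "chain": "PREROUTING", "spec": "-d 203.0.113.10/32 -j DNAT --to-destination 10.1.1.5"},
    {"table": "nat", "chain": "POSTROUTING", "spec": "-s 10.1.1.5/32 -j SNAT --to-source 203.0.113.10"},
    {"table": "filter", "chain": "FORWARD", "spec": "-s 10.1.1.0/24 -p tcp --dport 443 -j ACCEPT"},
]
# Built-in chains per table; default policy ACCEPT is an assumption of this example.
BUILTIN = {"nat": ["PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"],
           "filter": ["INPUT", "FORWARD", "OUTPUT"]}

def render_ruleset(rules):
    """Render the whole ruleset in iptables-restore format, deterministically."""
    lines = []
    for table in sorted(BUILTIN):
        lines.append(f"*{table}")
        lines += [f":{chain} ACCEPT [0:0]" for chain in BUILTIN[table]]
        lines += [f"-A {r['chain']} {r['spec']}" for r in rules if r["table"] == table]
        lines.append("COMMIT")  # each table is swapped in atomically at COMMIT
    return "\n".join(lines) + "\n"

def ruleset_version(text):
    return hashlib.sha256(text.encode()).hexdigest()

def needs_apply(text, version_file):
    """Version check: True unless the last applied digest matches this ruleset."""
    try:
        with open(version_file) as fh:
            return fh.read().strip() != ruleset_version(text)
    except FileNotFoundError:
        return True

def apply_ruleset(rules, state_dir, restore_cmd=("iptables-restore",)):
    """One restore call for the full ruleset; returns False if it was unchanged."""
    text = render_ruleset(rules)
    version_file = os.path.join(state_dir, "ruleset.version")
    if not needs_apply(text, version_file):
        return False
    fd, path = tempfile.mkstemp(dir=state_dir, suffix=".rules")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    for extra in (["--test"], []):  # parse-only pass first, then the real commit
        with open(path) as fh:
            subprocess.run([*restore_cmd, *extra], stdin=fh, check=True)
    os.replace(path, os.path.join(state_dir, "ruleset.rules"))
    with open(version_file, "w") as fh:
        fh.write(ruleset_version(text))
    return True
```

The version file records only what this code last applied, so rules changed on the router out of band are not detected by the check.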